September 2014 update

Cyber security is about risk reduction, not risk prevention. No system can ever be 100% secure, particularly when constrained by financial resources and the exposure to human error or behaviour.

The law governing data security is similarly not absolute. For example, the Data Protection Act 1998 ("DPA") demands that an organisation has "appropriate" technical and organisational security measures.

An organisation is left to determine what might be "appropriate" and a recent decision has highlighted the need for an organisation to continually review what might be "appropriate" in accordance with the ICO's guidance.

This month, the ICO criticised the Racing Post for falling short of the standard required by the DPA. Racing Post was subject to an internet-based SQL attack which gave the attacker access to the personal data of over 600,000 customers. The ICO demanded that the Racing Post undertake to ensure that up-to-date security patches are in place and to arrange regular security testing.

In sanctioning Racing Post, the ICO's decision emphasises the need to observe the specific technical security measures set out in the ICO's own guidance published earlier this year (see our June newsletter - the ICO's Top 8 Reasons for Data Breaches). The ICO's decision affirms that security assessments are not a one-off event – they need to be regularly conducted and updated.

On the basis that an organisation will never be 100% secure, records of regular security assessments are crucial to defending reputation and legal liability. The inevitable nature of security breaches, regardless of financial and technical resources, was highlighted by the recent "hacks" of celebrity Apple iCloud accounts.

Over the last month, photos of 101 celebrities were allegedly obtained from Apple's iCloud before being published on the photo-sharing website 4Chan. Apple immediately investigated the breach and determined that the users' passwords were the weak link. If true, this hack is an example of how even the most sophisticated security can be breached as a result of human error. Whether this incident was caused by the accidental disclosure of passwords, the use of insecure passwords, or the failure to regularly update those passwords, it highlights how hackers are willing to exploit the cracks in security caused by human error.